Wednesday, 30 June 2004

Review of Network Security Hacks Posted

Amazon.com just posted my four star review of Network Security Hacks. My review probably sounds a little harsher than I intended, but I was worn down trying to get SPADE to integrate with a version of Snort newer than 2.0.5. The review mentions finding Spade 030125.1 on a Polish student's FTP site, which seems to be the only place it exists, aside from an old Archive.org copy. It seems the snort.conf v. 1.85 is the last to include SPADE directions in its text, even though the contrib directory has a really old SPADE version (Spade-092200.1.tar.gz), from Sep 00. Anyway, from the review:

"'Network Security Hacks' (NSH) has something for nearly everyone, although it focuses squarely on Linux, BSD, and Windows, in that order of preference. Administrators for commercial UNIX variants (Solaris, AIX, HP-UX, etc.) should be able to apply much of the book's advice to their environments, but they are not the target audience. NSH is written for admins needing quick-start guides for common security tools, and in this respect it delivers."

Sunday, 27 June 2004

Review of Secure Architectures with OpenBSD

Amazon.com just posted my five star review of Secure Architectures with OpenBSD. From the review:

"About a year ago I read and reviewed Michael Lucas' excellent "Absolute OpenBSD." That book covered OpenBSD 3.2 and the CURRENT of that time, pre-3.3. Palmer and Nazario's "Secure Architectures with OpenBSD" (SAWO) addresses OpenBSD 3.4, which at the time of writing is just behind the current release (3.5). Lucas' book is an excellent introduction to OpenBSD by a relative outsider; SAWO is a more detailed discussion by insiders. Each has its strengths and I highly recommend both."

Contribute Your dmesg Output

Do you run one of the BSDs? If so, consider sending the output of the dmesg command to the New York City BSD User's Group dmesg board. This is a great way to share information on supported hardware. I learned about this site through BSDNews.com. A response to that story mentioned this site which tracks SMP systems running FreeBSD.

Thursday, 24 June 2004

Interesting Email from Stephen Northcutt... or not?

If you're on a SANS mailing list you might have received the following email from "Stephen Northcutt." I haven't decided if it's true or not. I'm wondering why I would have received it, unless someone forged the message after acquiring a SANS email list? The alternative means Stephen Northcutt himself is making some odd claims...

"From - Thu Jun 24 22:27:26 2004
X-UIDL: 40a19c3900000b29
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path:
...edited...
X-ClientAddr: 63.100.47.56
Received: from 63-100-47-56.sans.org (63-100-47-56.sans.org [63.100.47.56])
...edited...
Date: Fri, 25 Jun 2004 2:14:37 +0000
Message-Id: <2004062521561.QJA00262@stinger.sans.org>
From: Stephen Northcutt
Subject: Stephen Northcutt needs your help
Precedence: bulk
Errors-To:
Sender:
To: Richard Bejtlich (SD599258)
...edited...

Hello,

This note is intended for U.S. citizens and is a personal note from Stephen Northcutt. For the past few weeks CERT and SEI, DoD government funded organizations, have been purchasing google adwords so that when people search for "SANS Training" they see an advertisement for CERT/SEI's network manager course.

I have a couple of concerns about this. The first is trademark or brand related, when you search for SANS training, you should get SANS training. Other competing commercial training companies have also engaged in this behavior and when I have written them and asked if this how they want to be remembered by the security community, they have discontinued this practice. I wrote cert@cert.org a couple weeks ago and they continue this practice.

My second concern is that the government offering the course violates the spirit and letter of OMB A 76. "Two of the key principles of Circular A-76 has always been that "in the process of governing, the Government should not compete with its citizens" and that "a commercial activity is not a governmental function."
http://www.whitehouse.gov/omb/circulars/a076/comments/a76-289.pdf

The course:
http://www.sei.cmu.edu/products/courses/cert/infosec-net-mgrs.html

The funding:
http://www.sei.cmu.edu/about/about.html
http://www.cert.org/faq/cert_faq.html#A4

My third concern is the amount of tax we pay as citizens. The government is in the process of authorizing about 481 billion dollars for DoD spending. The Department of Defense clearly has too much money if they can afford to create training that mirrors material widely available from SANS, MISTI, CSI, Intense School and other training organizations. I believe the money spent on CERT, SEI and the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics should each be reduced by at least 10% immediately.

So I am asking for your help. If you agree with me please write your congress person and either use this note as a base or write your own. I would be honored if you would copy me, Stephen@sans.org. If you don't agree with me, or don't want to help me, that is fine, but before you send me a knee jerk email flame would you do three things. Look at your last paycheck stub and remind yourself how much tax you pay, second, consider the impact of the U.S. deficit (http://www.brillig.com/debt_clock/ ) and finally think about how you would feel if the government decided to compete in a disreputable manner with a course that took you months to write, SANS Security Leadership. After that, if you disagree with me, I would love to hear what you have to say. So please help me and write your congressman and tell them your home address, make sure they know you vote and you agree that the government has no business wasting taxpayer money competing with a course Stephen Northcutt does a better job of anyway.

To find your representative:
http://www.house.gov/writerep/

To find your congressional representative, the best link I could find is:
http://www.senate.gov/

Thank you for taking the time to help! Needless to say, I write this note as a private citizen and the author of SANS Security Leadership and am certain this note does not reflect the collective views and opinions of The SANS Institute.

Stephen Northcutt
Stephen@sans.org
(808) 823-1375"

This sounds like a hoax to me... can anyone confirm it? "...make sure they know you vote and you agree that the government has no business wasting taxpayer money competing with a course Stephen Northcutt does a better job of anyway." If this is a true statement by Stephen, I'd be surprised.

Burning DVDs in FreeBSD

Yesterday I reported my results burning CDs with FreeBSD. This morning I tried creating a DVD of the Fedora Core 2 distribution. After I downloaded the 4.1 GB .iso from a mirror, I used MD5 to verify the checksum matched. Since the .iso was ready to burn, I set up my Plextor burner.

First I checked the media, which was Memorex 4X DVD-R 4.7GB (pictured at left, purchased at buy.com). I had already installed dvd+rw-tools, available in the ports tree as sysutils/dvd+rw-tools. Using the dvd+rw-mediainfo command, I checked the DVD in the burner:

# dvd+rw-mediainfo /dev/cd0
INQUIRY: [PLEXTOR ][DVDR PX-708A ][1.06]
GET [CURRENT] CONFIGURATION:
Mounted Media: 11h, DVD-R Sequential
Media ID: ProdiscS03
Current Write Speed: 4.0x1385=5540KB/s
Write Speed #0: 4.0x1385=5540KB/s
Write Speed #1: 2.0x1385=2770KB/s
Write Speed #2: 1.0x1385=1385KB/s
GET [CURRENT] PERFORMANCE:
Write Performance: 4.0x1385=5540KB/s@[0 -> 2294911]
Speed Descriptor#0: 02/2298495 R@8.0x1385=11080KB/s W@4.0x1385=5540KB/s
Speed Descriptor#1: 02/2298495 R@8.0x1385=11080KB/s W@2.0x1385=2770KB/s
Speed Descriptor#2: 02/2298495 R@8.0x1385=11080KB/s W@1.0x1385=1385KB/s
READ DVD STRUCTURE[#10h]:
Media Book Type: 25h, DVD-R book [revision 5]
Legacy lead-out at: 2298496*2KB=4707319808
READ DVD STRUCTURE[#0h]:
Media Book Type: 25h, DVD-R book [revision 5]
Last border-out at: 0*2KB=0
READ DISC INFORMATION:
Disc status: blank
Number of Sessions: 1
State of Last Session: empty
Number of Tracks: 1
READ TRACK INFORMATION[#1]:
Track State: invisible incremental
Track Start Address: 0*2KB
Next Writable Address: 0*2KB
Free Blocks: 2297888*2KB
Track Size: 2297888*2KB

Everything looked ready to go, so I proceeded according to the directions in the FreeBSD Handbook:

# growisofs -dvd-compat -Z /dev/cd0=FC2-i386-DVD.iso
Executing 'builtin_dd if=FC2-i386-DVD.iso of=/dev/pass0 obs=32k seek=0'
/dev/pass0: "Current Write Speed" is 4.1x1385KBps.
0/4370640896 ( 0.0%) @0x, remaining ??:??
0/4370640896 ( 0.0%) @0x, remaining ??:??
8421376/4370640896 ( 0.2%) @1.8x, remaining 103:35
27066368/4370640896 ( 0.6%) @3.9x, remaining 40:07
45744128/4370640896 ( 1.0%) @3.9x, remaining 29:56
...edited...
4336517120/4370640896 (99.2%) @3.9x, remaining 0:06
4355194880/4370640896 (99.6%) @3.9x, remaining 0:02
builtin_dd: 2134112*2KB out @ average 3.9x1385KBps
/dev/pass0: flushing cache
/dev/pass0: updating RMA
/dev/pass0: closing disc

When I was done, I checked the media again:

# dvd+rw-mediainfo /dev/cd0
INQUIRY: [PLEXTOR ][DVDR PX-708A ][1.06]
GET [CURRENT] CONFIGURATION:
Mounted Media: 11h, DVD-R Sequential
Media ID: ProdiscS03
Current Write Speed: 4.0x1385=5540KB/s
Write Speed #0: 4.0x1385=5540KB/s
Write Speed #1: 2.0x1385=2770KB/s
Write Speed #2: 1.0x1385=1385KB/s
GET [CURRENT] PERFORMANCE:
Write Performance: 4.0x1385=5540KB/s@[0 -> 2294911]
Speed Descriptor#0: 02/2298495 R@8.0x1385=11080KB/s W@4.0x1385=5540KB/s
Speed Descriptor#1: 02/2298495 R@8.0x1385=11080KB/s W@2.0x1385=2770KB/s
Speed Descriptor#2: 02/2298495 R@8.0x1385=11080KB/s W@1.0x1385=1385KB/s
READ DVD STRUCTURE[#10h]:
Media Book Type: 25h, DVD-R book [revision 5]
Legacy lead-out at: 2298496*2KB=4707319808
READ DVD STRUCTURE[#0h]:
Media Book Type: 25h, DVD-R book [revision 5]
Last border-out at: 2134112*2KB=4370661376
READ DISC INFORMATION:
Disc status: complete
Number of Sessions: 1
State of Last Session: complete
Number of Tracks: 1
READ TRACK INFORMATION[#1]:
Track State: complete incremental
Track Start Address: 0*2KB
Free Blocks: 0*2KB
Track Size: 2134112*2KB
Last Recorded Address: 2134111*2KB
FABRICATED TOC:
Track#1 : 14@0
Track#AA : 14@2134112
Multi-session Info: #1@0

I then mounted the DVD:

# mount -t cd9660 /dev/cd0 /cdrom
# ls /cdrom
.discinfo RPM-GPG-KEY-fedora
Fedora RPM-GPG-KEY-fedora-rawhide
GPL RPM-GPG-KEY-fedora-test
README-Accessibility RPM-GPG-KEY-rawhide
README-en SRPMS
README-en.html TRANS.TBL
RELEASE-NOTES-en autorun
RELEASE-NOTES-en.html eula.txt
RPM-GPG-KEY images
RPM-GPG-KEY-beta isolinux

It worked. I also mounted the DVD as /dev/acd0 on my ThinkPad, which appears to dmesg as the following:

acd0: DVDROM at ata1-master UDMA33

I got this result by having 'hw.ata.atapi_dma=1' set in /boot/loader.conf. Without that setting, here is how the same drive appeared in dmesg:

acd0: DVDROM at ata1-master PIO4

For reference, here is atacontrol output for the laptop:

$ sudo atacontrol list
ATA channel 0:
Master: ad0 ATA/ATAPI rev 5
Slave: no device present
ATA channel 1:
Master: acd0 ATA/ATAPI rev 0
Slave: no device present

Having ATAPI DMA enabled helps with performance, according to this thread by someone having trouble burning with the same device I have. I believe that because that poster is using an internal Plextor connected via ATA, he is in a different situation. I use a FireWire adapter on my laptop and desktop to connect my external Plextor drive.

Wednesday, 23 June 2004

Duplicating Data CDs with FreeBSD

I needed to become familiar with burning CDs on FreeBSD to support plans for live CD-based systems. I recently bought a Plextor PX-708UF DVD+-R/RW CD-R/RW drive and an Adaptec DuoConnect PC Card Adapter. I already reported on how these appear to FreeBSD.

For testing purposes and to create my own media set, I duplicated the three CD-ROMs released as Fedora Core 2. To convert the CD-ROM into a .iso file for burning, I used this syntax:

dd if=/dev/cd0 of=/var/iso/fedora_core_disc3.iso bs=2048

Here are a few notes on this command. /dev/cd0 is how my Plextor drive appears to FreeBSD. My laptop's native CD/DVD reader is /dev/acd0. I could not get this command to work without including 'bs=2048'. I learned why after reading a FreeBSD Diary entry:

"Data on CDs is written in blocks of 2 kB. By default dd reads 512 bytes at a time, and the CD driver doesn't support this. It would work if you use bs=2k."

When I tried dd without the bs=2048 argument, I got this error:

dd: /dev/acd0: Invalid argument

I also tried acquiring the .iso using my native CD/DVD reader. I got this error, although the .iso creation seemed to work ok:

acd0: FAILURE - READ_BIG status=51
sensekey=ILLEGAL REQUEST error=1

Others have reported this issue, and some suggested editing /boot/loader.conf accordingly:

hw.ata.atapi_dma=0

This didn't fix the issue for me, so I acquired the .iso using the Plextor. It produced no visible errors.

When the process was done I wanted to check if the resulting .iso matched the CD from which it was derived. From Kris Kennaway I learned this command to get a MD5 hash of the original CD:

dd if=/dev/cd0 bs=2048 | md5

I then compared that output with the result of running md5 on this .iso. If they matched, the copy was good. This was the case. However, the MD5 hashes did not match the versions available at the Fedora site. As I trust the source of these CDs, I assume the difference is a result of taking an original Red Hat .iso, burning it to CD, and then deriving an image of that CD in .iso format. Perhaps the block sizes did not match up exactly?
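The same check, as an added example that is not part of the original post: a Python script that reads the ISO 9660 primary volume descriptor to learn exactly how many 2048-byte sectors the filesystem spans, then hashes only that extent from both the .iso and the device, so any padding sectors a drive returns when a disc is read to its end (one way the block counts can fail to "match up exactly") cannot change the digest. It applies equally to the DVD burned with growisofs above; the device path /dev/cd0, the demo() sample image and its file names are assumptions, not values from this post.

```python
import hashlib
import struct
import tempfile

SECTOR = 2048      # logical block size of ISO 9660 data discs, hence dd bs=2048
PVD_SECTOR = 16    # the primary volume descriptor (PVD) always sits in sector 16

def iso_volume_sectors(path):
    """Return the volume space size, in sectors, recorded in the image's PVD."""
    with open(path, "rb") as f:
        f.seek(PVD_SECTOR * SECTOR)
        pvd = f.read(SECTOR)
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    # bytes 80-83 hold the size little-endian, 84-87 big-endian; they must agree
    size_le = struct.unpack_from("<I", pvd, 80)[0]
    size_be = struct.unpack_from(">I", pvd, 84)[0]
    if size_le != size_be:
        raise ValueError("corrupt PVD: both-endian size fields disagree")
    return size_le

def hash_sectors(path, sectors, algo="md5"):
    """Hash exactly sectors * 2048 bytes of path, reading whole sectors."""
    h = hashlib.new(algo)
    remaining = sectors * SECTOR
    with open(path, "rb") as f:
        while remaining:
            chunk = f.read(min(remaining, 64 * SECTOR))
            if not chunk:
                raise IOError("short read, %d bytes missing" % remaining)
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()

def verify_disc(device, iso, algo="md5"):
    """Compare device (e.g. /dev/cd0, assumed) with the image over the PVD extent."""
    n = iso_volume_sectors(iso)
    image_hash = hash_sectors(iso, n, algo)
    device_hash = hash_sectors(device, n, algo)
    return image_hash == device_hash, image_hash, device_hash

def build_sample_iso(data_sectors):
    """Constructed stand-in for a real image: system area, PVD, terminator, filler."""
    total = PVD_SECTOR + 2 + data_sectors
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1        # type 1 = primary descriptor
    struct.pack_into("<I", pvd, 80, total)
    struct.pack_into(">I", pvd, 84, total)
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1   # type 255 = set terminator
    return bytes(PVD_SECTOR * SECTOR) + bytes(pvd) + bytes(term) + b"\xab" * (data_sectors * SECTOR)

def demo():
    """Sample image vs a 'disc' with two padding sectors appended: returns
    (match over the PVD extent, match over whole-device reads like dd | md5)."""
    image = build_sample_iso(8)
    with tempfile.TemporaryDirectory() as d:
        iso, disc = d + "/sample.iso", d + "/disc.raw"
        for path, data in ((iso, image), (disc, image + bytes(2 * SECTOR))):
            with open(path, "wb") as f:
                f.write(data)
        match = verify_disc(disc, iso)[0]
        whole = hash_sectors(iso, len(image) // SECTOR) == hash_sectors(disc, len(image) // SECTOR + 2)
    return match, whole
```

Running verify_disc("/dev/cd0", "fedora_core_disc3.iso") on FreeBSD compares the disc against the image in the way that stays stable across padding; demo() shows the two verdicts diverging on constructed data.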

To burn the new .iso to CD-R, I had to install cdrecord, found in sysutils/cdrecord. The first task was to ensure cdrecord could find my drive:

# cdrecord -scanbus
Cdrecord 2.00.3 (i386-unknown-freebsd5.2.1) Copyright (C) 1995-2002 Jorg Schilling
Using libscg version 'schily-0.7'
scsibus0:
0,0,0 0) 'PLEXTOR ' 'DVDR PX-708A ' '1.06' Removable CD-ROM
0,1,0 1) *
0,2,0 2) *
0,3,0 3) *
0,4,0 4) *
0,5,0 5) *
0,6,0 6) *
0,7,0 7) *

Once I knew where to find the drive, I checked what options it supported:

# cdrecord -v dev=0,0,0 -checkdrive driveropts=help
Cdrecord 2.00.3 (i386-unknown-freebsd5.2.1) Copyright (C) 1995-2002 Jorg Schilling
TOC Type: 1 = CD-ROM
scsidev: '0,0,0'
scsibus: 0 target: 0 lun: 0
Using libscg version 'schily-0.7'
Driveropts: 'help'
atapi: 0
Device type : Removable CD-ROM
Version : 0
Response Format: 1
Vendor_info : 'PLEXTOR '
Identifikation : 'DVDR PX-708A '
Revision : '1.06'
Device seems to be: Generic mmc2 DVD-R/DVD-RW.
cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support code.
cdrecord: If you need DVD-R/DVD-RW support, ask the Author for cdrecord-ProDVD.
Driver options:
burnfree Prepare writer to use BURN-Free technology
noburnfree Disable using BURN-Free technology
varirec=val Set VariRec Laserpower to -2, -1, 0, 1, 2
Only works for audio and if speed is set to 4

Now that I knew what options to use, I burned the .iso to the CD-R. You'll see I enabled 'burnfree,' defined in the man page as "Turn the support for Buffer Underrun Free writing on."

# cdrecord -v dev=0,0,0 speed=8 driveropts=burnfree -eject -data /var/iso/fedora_core_2_disc3.iso
Cdrecord 2.00.3 (i386-unknown-freebsd5.2.1) Copyright (C) 1995-2002 Jorg Schilling
TOC Type: 1 = CD-ROM
scsidev: '0,0,0'
scsibus: 0 target: 0 lun: 0
Using libscg version 'schily-0.7'
Driveropts: 'burnfree'
atapi: 0
Device type : Removable CD-ROM
Version : 0
Response Format: 1
Vendor_info : 'PLEXTOR '
Identifikation : 'DVDR PX-708A '
Revision : '1.06'
Device seems to be: Generic mmc2 DVD-R/DVD-RW.
cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support code.
cdrecord: If you need DVD-R/DVD-RW support, ask the Author for cdrecord-ProDVD.
Using generic SCSI-3/mmc CD-R driver (mmc_cdr).
Driver flags : MMC-3 SWABAUDIO BURNFREE VARIREC
Supported modes: TAO PACKET SAO SAO/R96P SAO/R96R RAW/R16 RAW/R96P RAW/R96R
Drive buf size : 1190112 = 1162 KB
FIFO size : 4194304 = 4096 KB
Track 01: data 637 MB
Total size: 732 MB (72:35.06) = 326630 sectors
Lout start: 732 MB (72:37/05) = 326630 sectors
Current Secsize: 2048
ATIP info from disk:
Indicated writing power: 5
Is not unrestricted
Is not erasable
Disk sub type: Medium Type A, high Beta category (A+) (3)
ATIP start of lead in: -11634 (97:26/66)
ATIP start of lead out: 359846 (79:59/71)
Disk type: Short strategy type (Phthalocyanine or similar)
Manuf. index: 3
Manufacturer: CMC Magnetics Corporation
Blocks total: 359846 Blocks current: 359846 Blocks remaining: 33216
Starting to write CD/DVD at speed 8 in real TAO mode for single session.
Last chance to quit, starting real write 0 seconds. Operation starts.
Waiting for reader process to fill input buffer ... input buffer ready.
BURN-Free is OFF.
Turning BURN-Free on
Performing OPC...
Starting new track at sector: 0
Track 01: 0 of 637 MB written.
...edited...
Track 01: Total bytes read/written: 668934144/668934144 (326628 sectors).
Writing time: 552.030s
Average write speed 8.0x.
Min drive buffer fill was 99%
Fixating...
Fixating time: 32.601s
cdrecord: fifo had 10537 puts and 10537 gets.
cdrecord: fifo was 0 times empty and 10463 times full, min fill was 90%.

At some point in the future I'll use the drive to create DVDs, and report how that turned out as well.

The fact that I burned these CDs isn't rocket science, but I wanted to show the gear I used in case other people are looking to buy CD/DVD burners for FreeBSD.

I used a few other resources when learning how to burn CDs, including the FreeBSD Handbook and CD Burning from the Command Line.

Fedora Core 2-based Soekris System Operational

I'm not a big Linux user, but a lot of people like Fedora Core. Using the same methodology I used with FreeBSD and OpenBSD, I just installed Fedora Core 2 on a spare HDD on my laptop, then transferred that HDD to the Soekris.

Here are a few notes on peculiarities of Fedora. I chose a "custom installation," and selected "no packages." That still deployed about 562 MB of packages as part of the base OS installation. Thankfully only the first CD was needed. When I finished the installation, I rebooted the laptop to edit key files to allow serial access. I made important changes to /etc/grub.conf, thanks to this Remote Serial Console HOWTO:

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hda2
# initrd /initrd-version.img
#boot=/dev/hda
default=0
#timeout=10
#splashimage=(hd0,0)/grub/splash.xpm.gz
serial --unit=0 --speed=9600 --word=8 --parity=no --stop=1
terminal --timeout=10 serial console
title Fedora Core (2.6.5-1.358)
root (hd0,0)
kernel /vmlinuz-2.6.5-1.358 ro root=LABEL=/ console=tty0 console=ttyS0,9600n8
initrd /initrd-2.6.5-1.358.img

After editing /etc/grub.conf, I shut down the laptop and moved the HDD to the Soekris. When it booted, I didn't see the Grub menu as expected. I hit return a few times and then saw boot messages scroll by. Kudzu started, due to the hardware differences between my laptop and the Soekris. Although the screen wasn't as legible as I would have hoped, I could still make out the text and configuration options. I chose to deinstall the laptop hardware no longer present on the Soekris, like its NIC, sound card, and so on. Kudzu then asked to install the Soekris National Semiconductor DP83815 MacPhyter NICs and Compaq ZFMicro Chipset USB. Along the way it also asked if I approved of making changes to /etc/inittab and /etc/securetty. It appears to have made these changes:

/etc/inittab

co:2345:respawn:/sbin/agetty ttyS0 9600 vt100

/etc/securetty

ttyS0

The addition to /etc/inittab appears to enable the serial console. The addition to /etc/securetty allows root to log in over the serial console.

Unlike FreeBSD but like OpenBSD, it appears Fedora Core 2 does not recognize my Linksys USB200M 10/100 NIC. Here are the uname, netstat, and df outputs for reference. Note the filesystem layout is the result of "autopartition." I've never understood why Red Hat doesn't create separate partitions for /, /usr, /var, /tmp, and so on.

uname -a
Linux localhost.localdomain 2.6.5-1.358 #1 Sat May 8 09:04:50 EDT 2004 i586 i586 i386 GNU/Linux

netstat -natup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 1652/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1633/portmap
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1827/sendmail: acce
tcp 0 0 :::22 :::* LISTEN 1806/sshd
tcp 0 672 ::ffff:10.2.2.69:22 ::ffff:10.2.2:57811 ESTABLISHED 2160/0
udp 0 0 0.0.0.0:1024 0.0.0.0:* 1652/rpc.statd
udp 0 0 0.0.0.0:68 0.0.0.0:* 1179/dhclient
udp 0 0 0.0.0.0:980 0.0.0.0:* 1652/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 1633/portmap

df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda2 55G 548M 51G 2% /
/dev/hda1 99M 5.9M 88M 7% /boot
none 63M 0 63M 0% /dev/shm